Apparently this web site lets us see who has tried to log into our account...
After registering, we can log in. Once logged in, we have access to an endpoint that lists every IP that has tried and failed to log into our account.
Since the synopsis mentions this page, we can be fairly sure that this endpoint is the vulnerable one. But where?!
After a lot of failed tests, I remembered that the X-Forwarded-For HTTP header is what proxies use to pass along the original client IP address. An application that trusts it blindly will record whatever value the client sends as the "IP" of the failed login attempt. So I tried a login request containing:
and saw what happened:
XSS (even if I'm not a great fan)
I would have been more excited if the challenge had been about template injection, but I tried that without success, so let's deal with XSS...
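To make the whole chain concrete, here is an added example (my own code, not the challenge's application and not the author's script) that models both sides: the login handler that derives the client "IP" from X-Forwarded-For and stores it, the page that renders the failed-login list, and the raw request an attacker sends. The `/login` path, the form field names, the `<script>alert(1)</script>` payload and the trusted proxy address are all assumptions made for the example; the writeup does not show the actual payload. The hardened variants beside the vulnerable ones show the two fixes a practitioner would want: only honour the header when it arrives from a trusted proxy and parses as an IP, and escape the value before it reaches HTML.

```python
import html
import ipaddress
from urllib.parse import urlencode

# Hypothetical XSS payload carried in X-Forwarded-For (assumption: the real
# challenge payload is not shown in the writeup).
PAYLOAD = "<script>alert(1)</script>"

# Assumed address of the reverse proxy that sits in front of the application.
TRUSTED_PROXIES = frozenset({"10.0.0.2"})


def client_ip_vulnerable(headers, remote_addr):
    """Trusts X-Forwarded-For verbatim: whatever the client sends becomes the 'IP'."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(headers, remote_addr):
    """Honours X-Forwarded-For only when the direct peer is a trusted proxy,
    uses the value that proxy appended (the rightmost one), and requires it
    to parse as an IP address. Anything else falls back to the socket peer."""
    xff = headers.get("X-Forwarded-For")
    if xff and remote_addr in TRUSTED_PROXIES:
        candidate = xff.split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass
    return remote_addr


def render_failed_logins_vulnerable(entries):
    """Interpolates stored 'IPs' straight into HTML: stored XSS if an entry is markup."""
    rows = "".join(f"<li>{ip}</li>" for ip in entries)
    return f"<ul>{rows}</ul>"


def render_failed_logins_safe(entries):
    """Same page with output encoding; markup in an entry is shown as text."""
    rows = "".join(f"<li>{html.escape(ip)}</li>" for ip in entries)
    return f"<ul>{rows}</ul>"


def record_failed_logins(requests, ip_extractor):
    """Simulates the server storing the 'IP' of each failed login attempt.
    `requests` is a list of (headers, remote_addr) for requests that failed."""
    return [ip_extractor(headers, remote_addr) for headers, remote_addr in requests]


def build_login_request(host, username, password, forwarded_for):
    """Raw HTTP/1.1 POST for a (deliberately failing) login with the
    attacker-controlled header. Path and field names are assumptions."""
    body = urlencode({"username": username, "password": password})
    lines = [
        "POST /login HTTP/1.1",
        f"Host: {host}",
        f"X-Forwarded-For: {forwarded_for}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
        "",
        body,
    ]
    return "\r\n".join(lines).encode()


# Constructed sample traffic: one failed login relayed by the trusted proxy,
# one sent directly by the attacker with the payload in the header.
SAMPLE_FAILED_LOGINS = [
    ({"X-Forwarded-For": "203.0.113.7"}, "10.0.0.2"),
    ({"X-Forwarded-For": PAYLOAD}, "198.51.100.23"),
]


if __name__ == "__main__":
    print(build_login_request("target.example", "victim", "wrong", PAYLOAD).decode())
    stored = record_failed_logins(SAMPLE_FAILED_LOGINS, client_ip_vulnerable)
    print("vulnerable:", render_failed_logins_vulnerable(stored))
    stored = record_failed_logins(SAMPLE_FAILED_LOGINS, client_ip_hardened)
    print("hardened:  ", render_failed_logins_safe(stored))
```

Run it and compare the two rendered lists: the vulnerable path stores the payload as an "IP" and emits it as live markup, so the script fires for whoever views the failed-login page (here, the account owner, so the attack needs a failed login against the victim's account). The hardened path never stores the payload at all, and even if a bad value slipped into the store, the escaped rendering would display it as text rather than execute it. Either fix alone stops this particular XSS; applying both is the usual defence in depth.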